Why Do You Duo?

After several semesters of multi-step logins, we take a closer look at what led the way for Duo security systems and how to avoid fraud


If you have attended any branch of Indiana University since the fall of 2017, you are most likely familiar with the two-step login system known as Duo Security.

The sometimes-bothersome double take on who is logging in to your school account can seem more of a burden than a benefit, but similar to the rising costs of parking passes, there is a reason for the process.

According to Daniel Calarco, chief of staff for the vice president for information technology and CIO at Indiana University, the entire school system has “seen a reduction in fraudulent access to systems behind [two-factor authentication] reduced by over 99.9 percent” over the past several semesters.

“We had Duo for things like financial transactions before the 2016 Staff Portal phishing scam,” Calarco said. “But we definitely did expand its use to additional systems and audiences as a direct result of this scam.”

Calarco is referring to the 2016 scam that sent thousands of IU staff and students emails posing as messages or surveys from the school.

Having opened the message and clicked the attached link, nearly 800 were scammed into giving up their usernames and passphrases to unauthorized accounts.

This process of bait-and-hook scamming is known as phishing.

“A few months before the phish, there was a survey of large research intensive universities like IU,” Calarco said. “The vast majority stated that they planned on rolling out 2 Factor Authentication (2FA) in the next year, and the majority of those stated they planned on using Duo as their 2FA solution.”

With the two-step login now required for access to Canvas, One.IU and much more, Indiana University has yet to experience a scam of that magnitude, thanks in part to Duo Security.


Preventing Phishers

Though phishing scams can come off as easily avoidable, determining which emails are valid and which are not is not always obvious.

This is where Duo comes into play.

“Basically, if someone falls for a phish scam or accidentally provides their passphrase to a third party, the person’s account will still require Duo during the login process, keeping the bad guys out,” Nick Ray, executive director of information technology at IU Southeast, said.

Ray has been an advocate for the two-factor authentication login for years, and although not every site on the internet requires access from Duo, “most everyone is using 2FA in their everyday life and may not even notice.”

From online bank access to Google, sites with personal information have jumped on the opportunity to implement Duo-like systems.

Besides the typical firewalls and virtual private networks, IU Southeast takes extra precautions in an attempt to secure its students’ data.

“UITS Communications runs IU-wide educational campaigns like ‘Think Before You Click,’ which encourages everyone to try and determine the legitimacy of an email before clicking a link in the message,” Ray said.

With the “Think Before You Click” initiative underway, Calarco recommends three key ways to avoid being phished:

  1. Actually thinking before you click – “Hover over links and ensure you go to the right place, or even better, if it’s from a service you know, just go to the URL of that service (i.e. google.com, one.iu.edu, amazon.com, etc.) and then search or navigate from there.”
  2. Use the two-factor authentication system – “IU uses Duo for two-factor authentication for most IU systems but you can also use your IU Duo app for other sites like Facebook, Amazon, Google and many more.”
  3. Contact the sender – “If you know the person who sent you the suspicious message, give them a call or go see them if you can. It’s safer than contacting them over email in case their account has been compromised.”

Indiana University, being one of the largest universities in the country with nearly 115,000 students, can easily become a target for phishers wanting to conduct a mass scam.

Calarco says being cautious when clicking links should be a must for anyone using the internet.

For questions regarding your data security, go to One.IU and search My Security Center to review settings for your account.